Threat Description

Email-Worm:W32/Brontok.N

Details

Summary

This type of worm is embedded in an e-mail attachment and spreads by sending itself over
e-mail from the infected computer.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Email-Worm:W32/Brontok.N is a complex e-mail worm that also disables anti-virus software,
creates multiple copies of itself on a local hard disk, and takes measures to make
its removal difficult.

Brontok.N was found at the end of March 2006.

Installation

After the worm's file is started, it copies itself with different names to different
folders on a local hard drive. The file names can be semi-randomly generated or they
can be any of the following:

csrss.exe

inetinfo.exe

lsass.exe

services.exe

smss.exe

winlogon.exe

Some of the worm's files have the hidden, system, and read-only attributes set. The worm can
create its files with COM, EXE, and PIF extensions. The worm also creates multiple
launch points for the copied files, including startup Registry keys and scheduled
jobs. For example:

Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,

The attachment name is:

photo.zip
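The Installation section above gives a defender three things to look for: copies named after core Windows processes, copies carrying a COM or PIF extension, and the hidden/system/read-only attribute combination. The following is an added example (not code from the original F-Secure description) that applies those three checks to a directory listing. The function names, the expected system directories (assumed to be C:\Windows\System32 and C:\Windows\SysWOW64 on a default install) and the sample entries are constructed for the example; in practice the entries would come from a filesystem walk with attributes decoded from each file's st_file_attributes.

```python
from pathlib import PureWindowsPath

# Process names the worm reuses for its copies (taken from the list above).
MASQUERADE_NAMES = {"csrss", "inetinfo", "lsass", "services", "smss", "winlogon"}
# Extensions the description says the copies can carry.
WORM_EXTENSIONS = {".com", ".exe", ".pif"}
# Where the genuine binaries with these names live on a default install
# (assumption: Windows installed under C:\Windows).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Attribute combination the description notes on some of the worm's files.
HIDE_ATTRS = {"hidden", "system", "readonly"}


def classify(path, attributes):
    """Return the reasons a directory entry looks like a worm copy (empty list if none).

    path       -- full Windows path as a string
    attributes -- iterable of attribute names, e.g. {"hidden", "system"}
    """
    p = PureWindowsPath(path)
    stem, ext = p.stem.lower(), p.suffix.lower()
    reasons = []
    if stem not in MASQUERADE_NAMES or ext not in WORM_EXTENSIONS:
        return reasons  # not one of the names the worm borrows
    if ext != ".exe":
        reasons.append(f"system process name with {ext} extension")
    if str(p.parent).lower() not in EXPECTED_DIRS:
        reasons.append("system process name outside the system directory")
    if HIDE_ATTRS <= {a.lower() for a in attributes}:
        reasons.append("hidden + system + read-only attributes")
    return reasons


def find_masquerading_copies(entries):
    """Map each suspicious path to its reasons; entries are (path, attributes) pairs."""
    result = {}
    for path, attributes in entries:
        reasons = classify(path, attributes)
        if reasons:
            result[path] = reasons
    return result


# Constructed directory listing standing in for a real filesystem walk.
SAMPLE_ENTRIES = [
    (r"C:\Windows\System32\lsass.exe", {"archive"}),                         # genuine
    (r"C:\Windows\System32\csrss.exe", {"archive"}),                         # genuine
    (r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe",
     {"hidden", "system", "readonly"}),                                      # worm-style copy
    (r"C:\Windows\winlogon.com", {"hidden"}),                                # worm-style copy
    (r"C:\Program Files\Messenger\services.pif", set()),                     # worm-style copy
    (r"C:\temp\photo.exe", set()),                                           # not on the list
]

if __name__ == "__main__":
    for path, why in find_masquerading_copies(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(why))
```

A genuine lsass.exe or csrss.exe in System32 produces no reasons, so the check stays quiet on a clean machine; anything with one of the borrowed names outside the system directory, or with a COM or PIF extension, is reported together with every reason that applies, which is what an analyst wants when deciding what to quarantine.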

To collect e-mail addresses to spread itself, the worm searches drives C: through
Z: for addresses in files with the following extensions:

.asp

.bat

.cfm

.com

.csv

.doc

.eml

.exe

.htm

.html

.php

.pif

.ppt

.scr

.txt

.wab

.xls

The discovered addresses are checked against a rather large list of strings. If part
of a discovered e-mail address matches an entry in that list, that e-mail address
is discarded.

The worm creates folders named Spread.Mail.Bro and Spread.Sent.Bro in one of its hidden
subfolders. The first folder contains the list of e-mail addresses that the worm harvested
from the infected computer. Each e-mail address is represented by a file that has
the same text as the c.bron.tok.txt file (see above).

When the worm sends an e-mail to an address, the corresponding file is moved to the
second folder. This is done to avoid sending the worm to the same address multiple
times.

Payload

In addition to its propagation efforts, the worm has a rather old-fashioned effect.
It can show the following texts in the command prompt window:

The effect is shown after the worm terminates applications that have the following
text strings in their window titles:

ahnlab

alwil

anti

avg

avira

b.e

baca bro !!!

bitdef

BROWNIES

bugil

cewe

cillin

CLEANER

cmd.exe

command prompt

commander

computer management

ertanto

folder option

group policy

hijack

kaspersky

killbox

killer

mcafee

movzx

naked

nod32

norman

norton

pcmedia

pc-media

peid

porn

PROCESS EXP

registry

REMOVER

robknot

rontok

rontox

scheduled task

sex

symantec

SYSINTERNAL

system configuration

task manager

task view

telanjang

trendmicro

trojan

virus

washer

windows script

wintask

worm

The worm disables Task Manager and Registry Editor, and terminates applications that
have the following text strings in their window titles:

ahnlab

aladdin

Alicia

Anti

ash

ashmaisv

aswupdsv

avast

avg

bitdef

ccapp

ccapps

cclaw

cillin

ctfmon

Dian

diary

dkernel

foto

grisoft

hijack

iexplorer

kangen

kaspersky

kill

lexplorer

machine

Mariana

mcaf

mcv

movzx

mspatch

nipsvc

njeeves

nod32

nopdb

norman

norton

nvcoas

opscan

panda

peid

poproxy

remove

riyani

Romantic

rontok

rontox

services.com

siti

sstray

symantec

sysinter

syslove

systray

trend

tskmgr

untukmu

update

virus

vptray

washer

wscript

xpshare

zlh

The worm modifies the Windows HOSTS file to block access to the following domains:

17tahun.com

17tahun.net

17tahun.org

ae.trendmicro-europe.com

ae.trendmicro-europe.net

ae.trendmicro-europe.org

antivirus.com

anti-virus.com

antivirus.net

anti-virus.net

antivirus.org

anti-virus.org

backup.grisoft.com

backup.grisoft.net

backup.grisoft.org

bhs.com

bhs.net

bhs.org

blog.compactbyte.com

blog.compactbyte.net

blog.compactbyte.org

blogs.compactbyte.com

blogs.compactbyte.net

blogs.compactbyte.org

ca.com

ca.net

ca.org

castlecops.com

castlecops.net

castlecops.org

cheyenne.com

cheyenne.net

cheyenne.org

compactbyte.com

compactbyte.net

compactbyte.org

datafellows.com

datafellows.net

datafellows.org

download.mcafee.com

download.mcafee.net

download.mcafee.org

downloads1.kaspersky-labs.com

downloads1.kaspersky-labs.net

downloads1.kaspersky-labs.org

downloads2.kaspersky-labs.com

downloads2.kaspersky-labs.net

downloads2.kaspersky-labs.org

downloads3.kaspersky-labs.com

downloads3.kaspersky-labs.net

downloads3.kaspersky-labs.org

downloads4.kaspersky-labs.com

downloads4.kaspersky-labs.net

downloads4.kaspersky-labs.org

esafe.com

esafe.net

esafe.org

europe.f-secure.com

europe.f-secure.net

europe.f-secure.org

fajarweb.com

fajarweb.net

fajarweb.org

forum.vaksin.com

forum.vaksin.net

forum.vaksin.org

free-av.com

free-av.net

free-av.org

f-secure.com

f-secure.net

f-secure.org

grisoft.com

grisoft.net

grisoft.org

icubed.com

icubed.net

icubed.org

infokomputer.com

infokomputer.net

infokomputer.org

it.trendmicro-europe.com

it.trendmicro-europe.net

it.trendmicro-europe.org

jasakom.com

jasakom.net

jasakom.org

jeruk.padinet.com

jeruk.padinet.net

jeruk.padinet.org

kaskus.com

kaskus.net

kaskus.org

kaspersky.com

kaspersky.net

kaspersky.org

kaspersky-labs.com

kaspersky-labs.net

kaspersky-labs.org

liveupdate.symantec.com

liveupdate.symantec.net

liveupdate.symantec.org

liveupdate.symantecliveupdate.com

liveupdate.symantecliveupdate.net

liveupdate.symantecliveupdate.org

mcafee.com

mcafee.net

mcafee.org

mcafeeb2b.com

mcafeeb2b.net

mcafeeb2b.org

mcafeesecurity.com

mcafeesecurity.net

mcafeesecurity.org

nai.com

nai.net

nai.org

norman.com

norman.net

norman.org

norton.com

norton.net

norton.org

ontrack.com

ontrack.net

ontrack.org

padinet.com

padinet.net

padinet.org

pandasoftware.com

pandasoftware.net

pandasoftware.org

perantivirus.com

perantivirus.net

perantivirus.org

playboy.com

playboy.net

playboy.org

pornstargals.com

pornstargals.net

pornstargals.org

sands.com

sands.net

sands.org

sarc.com

sarc.net

sarc.org

secunia.com

secunia.net

secunia.org

securityresponse.symantec.com

securityresponse.symantec.net

securityresponse.symantec.org

sex-mission.com

sex-mission.net

sex-mission.org

sophos.com

sophos.net

sophos.org

symantec.com

symantec.net

symantec.org

trendmicro.com

trendmicro.net

trendmicro.org

trendmicro-europe.com

trendmicro-europe.net

trendmicro-europe.org

update.symantec.com

update.symantec.net

update.symantec.org

vaksin.com

vaksin.net

vaksin.org

vil.nai.com

vil.nai.net

vil.nai.org

virustotal.com

virustotal.net

virustotal.org

winantivirus.com

winantivirus.net

winantivirus.org

www.17tahun.com

www.17tahun.net

www.17tahun.org

www.ae.trendmicro-europe.com

www.ae.trendmicro-europe.net

www.ae.trendmicro-europe.org

www.antivirus.com

www.anti-virus.com

www.antivirus.net

www.anti-virus.net

www.antivirus.org

www.anti-virus.org

www.backup.grisoft.com

www.backup.grisoft.net

www.backup.grisoft.org

www.bhs.com

www.bhs.net

www.bhs.org

www.blog.compactbyte.com

www.blog.compactbyte.net

www.blog.compactbyte.org

www.blogs.compactbyte.com

www.blogs.compactbyte.net

www.blogs.compactbyte.org

www.ca.com

www.ca.net

www.ca.org

www.castlecops.com

www.castlecops.net

www.castlecops.org

www.cheyenne.com

www.cheyenne.net

www.cheyenne.org

www.compactbyte.com

www.compactbyte.net

www.compactbyte.org

www.datafellows.com

www.datafellows.net

www.datafellows.org

www.download.mcafee.com

www.download.mcafee.net

www.download.mcafee.org

www.downloads1.kaspersky-labs.com

www.downloads1.kaspersky-labs.net

www.downloads1.kaspersky-labs.org

www.downloads2.kaspersky-labs.com

www.downloads2.kaspersky-labs.net

www.downloads2.kaspersky-labs.org

www.downloads3.kaspersky-labs.com

www.downloads3.kaspersky-labs.net

www.downloads3.kaspersky-labs.org

www.downloads4.kaspersky-labs.com

www.downloads4.kaspersky-labs.net

www.downloads4.kaspersky-labs.org

www.esafe.com

www.esafe.net

www.esafe.org

www.europe.f-secure.com

www.europe.f-secure.net

www.europe.f-secure.org

www.fajarweb.com

www.fajarweb.net

www.fajarweb.org

www.forum.vaksin.com

www.forum.vaksin.net

www.forum.vaksin.org

www.free-av.com

www.free-av.net

www.free-av.org

www.f-secure.com

www.f-secure.net

www.f-secure.org

www.grisoft.com

www.grisoft.net

www.grisoft.org

www.icubed.com

www.icubed.net

www.icubed.org

www.infokomputer.com

www.infokomputer.net

www.infokomputer.org

www.it.trendmicro-europe.com

www.it.trendmicro-europe.net

www.it.trendmicro-europe.org

www.jasakom.com

www.jasakom.net

www.jasakom.org

www.jeruk.padinet.com

www.jeruk.padinet.net

www.jeruk.padinet.org

www.kaskus.com

www.kaskus.net

www.kaskus.org

www.kaspersky.com

www.kaspersky.net

www.kaspersky.org

www.kaspersky-labs.com

www.kaspersky-labs.net

www.kaspersky-labs.org

www.liveupdate.symantec.com

www.liveupdate.symantec.net

www.liveupdate.symantec.org

www.liveupdate.symantecliveupdate.com

www.liveupdate.symantecliveupdate.net

www.liveupdate.symantecliveupdate.org

www.mcafee.com

www.mcafee.net

www.mcafee.org

www.mcafeeb2b.com

www.mcafeeb2b.net

www.mcafeeb2b.org

www.mcafeesecurity.com

www.mcafeesecurity.net

www.mcafeesecurity.org

www.nai.com

www.nai.net

www.nai.org

www.norman.com

www.norman.net

www.norman.org

www.norton.com

www.norton.net

www.norton.org

www.ontrack.com

www.ontrack.net

www.ontrack.org

www.padinet.com

www.padinet.net

www.padinet.org

www.pandasoftware.com

www.pandasoftware.net

www.pandasoftware.org

www.perantivirus.com

www.perantivirus.net

www.perantivirus.org

www.playboy.com

www.playboy.net

www.playboy.org

www.pornstargals.com

www.pornstargals.net

www.pornstargals.org

www.sands.com

www.sands.net

www.sands.org

www.sarc.com

www.sarc.net

www.sarc.org

www.secunia.com

www.secunia.net

www.secunia.org

www.securityresponse.symantec.com

www.securityresponse.symantec.net

www.securityresponse.symantec.org

www.sex-mission.com

www.sex-mission.net

www.sex-mission.org

www.sophos.com

www.sophos.net

www.sophos.org

www.symantec.com

www.symantec.net

www.symantec.org

www.trendmicro.com

www.trendmicro.net

www.trendmicro.org

www.trendmicro-europe.com

www.trendmicro-europe.net

www.trendmicro-europe.org

www.update.symantec.com

www.update.symantec.net

www.update.symantec.org

www.vaksin.com

www.vaksin.net

www.vaksin.org

www.vil.nai.com

www.vil.nai.net

www.vil.nai.org

www.virustotal.com

www.virustotal.net

www.virustotal.org

www.winantivirus.com

www.winantivirus.net

www.winantivirus.org
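Pinning security-vendor domains in the HOSTS file is a common anti-virus-blocking technique, and the list above is what it looks like for this worm. The following is an added example (not code from the original F-Secure description) that parses a HOSTS file, reports every entry naming one of those domains or a subdomain of it, and produces a cleaned copy with the offending lines removed. The watched-domain set is a representative subset of the list above, the function names are the example's own, and the sample HOSTS text is constructed. The example flags a watched hostname whatever address it is mapped to, because a legitimate HOSTS file has no reason to pin a vendor's update servers at all, and a variant could just as well point them at an attacker-controlled address as at 127.0.0.1.

```python
import ipaddress

# Security-vendor domains from the list above that the worm pins in HOSTS
# (a representative subset; extend it with the rest of the list as needed).
WATCHED_DOMAINS = {
    "f-secure.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "kaspersky.com", "kaspersky-labs.com", "trendmicro.com",
    "trendmicro-europe.com", "grisoft.com", "norman.com", "sophos.com",
    "pandasoftware.com", "virustotal.com", "secunia.com", "castlecops.com",
}


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts_line(raw):
    """Return (ip, [hostnames]) for an active HOSTS entry, or None for comments/blanks/junk."""
    body = raw.split("#", 1)[0].strip()   # drop trailing comments
    parts = body.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return ip, parts[1:]


def audit_hosts(text):
    """Split a HOSTS file into (flagged, cleaned_text).

    flagged is a list of (line_no, ip, hostname) for every watched hostname,
    whatever address it is mapped to; cleaned_text is the file with those
    lines dropped, suitable for writing back once the worm itself is removed.
    """
    flagged, kept = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_hosts_line(raw)
        hits = [h for h in parsed[1] if is_watched(h)] if parsed else []
        if hits:
            flagged.extend((n, str(parsed[0]), h) for h in hits)
        else:
            kept.append(raw)
    return flagged, "\n".join(kept) + "\n"


# Constructed sample: a HOSTS file after the worm has appended its entries.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
192.168.1.10    intranet.example   # legitimate internal alias
127.0.0.1       www.f-secure.com
127.0.0.1       liveupdate.symantec.com    downloads1.kaspersky-labs.com
127.0.0.1       www.virustotal.com
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, host in found:
        print(f"line {line_no}: {host} -> {ip}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

A line that mixes a watched hostname with a legitimate one is dropped whole, so review the flagged output before writing the cleaned text back; the localhost entry and any internal aliases are left untouched. Restoring HOSTS only helps if the worm's launch points are removed first, since the running worm rewrites the file.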
